Directus supports the standard Create, Read, Update, and Delete permissions, and adds support for Comments and Explanations. Furthermore, some privileges can be scoped to the current user or their role. Below are all of the collection-level permissions:

To enforce the mine and role permissions described above, Directus needs to know who created an item. Additionally, you may want to track when an item was created, or when it was last updated. This can all happen automatically, but you first must include a few system fields.

User Created – Stores the ID of the user who created this item. Setup: Create a field with the user_created interface

This field is required to use the mine and role permissions.

DateTime Created – Stores the GMT datetime this item was created. Setup: Create a field with the datetime_created interface

User Updated – Stores the ID of the last user to update this item. Setup: Create a field with the user_updated interface

DateTime Updated – Stores the GMT datetime this item was last updated. Setup: Create a field with the datetime_updated interface

TIP

There are dedicated interfaces available to make it easier to set up the above fields.
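The scoping rule described above, as an added example that is not Directus code: it shows why the `user_created` value is needed to decide a `mine` or `role` permission. The function names, the data shapes, the `full` and `none` scope names, and the choice to deny when no creator is recorded are assumptions of this example.

```javascript
// Added illustration, not Directus source. All names here are hypothetical.
// Constructed sample data: three users in two roles, four items.
const users = new Map([
  [1, { id: 1, role: "editor" }],
  [2, { id: 2, role: "editor" }],
  [3, { id: 3, role: "intern" }],
]);
const items = [
  { id: 10, title: "A", user_created: 1 },
  { id: 11, title: "B", user_created: 2 },
  { id: 12, title: "C", user_created: 3 },
  { id: 13, title: "D" }, // created before the user_created field existed
];

// scope is "mine" or "role" (from the page); "full" and "none" are assumed
// names for the unscoped and denied cases.
function isAllowed(scope, user, item) {
  if (scope === "full") return true;
  if (scope === "none") return false;
  const ownerId = item.user_created;
  // No recorded creator means ownership cannot be proven: deny.
  if (ownerId === undefined || ownerId === null) return false;
  if (scope === "mine") return ownerId === user.id;
  if (scope === "role") {
    const owner = users.get(ownerId);
    return owner !== undefined && owner.role === user.role;
  }
  return false; // unrecognised scope value: deny rather than allow
}

// Ids of the items a user may act on under the given scope.
function allowedIds(scope, userId) {
  const user = users.get(userId);
  if (!user) return []; // unknown user: nothing is allowed
  return items.filter((item) => isAllowed(scope, user, item)).map((i) => i.id);
}

console.log("mine, user 1:", allowedIds("mine", 1));
console.log("role, user 1:", allowedIds("role", 1));
console.log("role, user 3:", allowedIds("role", 3));
console.log("full, user 3:", allowedIds("full", 3));
```

Item 13 has no creator recorded, so in this example it is reachable only through an unscoped permission.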

Clicking "Fields" allows you to blacklist certain fields for either read or write. This allows you to control which fields are visible or editable within the collection. By default, fields are both readable and writable.

Clicking "Allowed Statuses" allows you to blacklist certain status options. This allows you to control which status options a user can choose – for example, not allowing an Intern to publish items. By default, all statuses are available.

Workflows are one of the most powerful features of Directus, allowing for all permissions to be controlled per status. Workflow is enabled by clicking the arrows at the far right to expand the collection into Workflow mode and show dedicated permission rows for each status.

In addition to the custom options set within your status interface, there is always an "On Creation" option that sets permissions for when an item is being created. This is useful because an item that is being created doesn't yet have a status set.

Below the permissions interface is a toggle to show the Directus system collections. These permissions are automatically generated when new roles are created and can be used to control certain system pages, such as: File Library, User Directory, and My Activity.

WARNING

Changing the default system permissions can result in unexpected behavior or a completely broken platform. The API and App rely on certain data. For example, full read permission for directus_users is required. Only update these values if you know exactly what you're doing.

You can also control access to Directus based on a user's IP address. This is useful if you need to limit access to specific offices or locations, provided they have a static IP address. Add a comma-separated list (CSV) of the IP addresses to limit access to, or leave it blank to apply no limit.